Agent Scan Assess
Overview
Agent Scan is Snyk's agent supply-chain security scanner for discovering and scanning local AI agent components, including MCP servers, agent skills, tools, prompts, and resources. The published snyk-agent-scan package describes it as a scanner for agents, MCP servers, and skills that inventories installed agent components and checks for prompt injections, sensitive data handling, malware payloads hidden in natural language, tool poisoning, toxic flows, and agent-skill vulnerabilities (PyPI). The related mcp-scan package is now a redirect package that installs snyk-agent-scan and forwards the mcp-scan CLI to it, which is important for teams that previously evaluated the Invariant Labs tooling under the older name (PyPI).
Agent Scan should be assessed because it addresses a real and fast-growing blind spot: agentic developer tools now load MCP servers and skills that can contain executable commands, natural-language instructions, tool descriptions, credentials handling, and runtime data paths. Snyk's ToxicSkills research scanned 3,984 skills and found that 36.82% had at least one security flaw, 13.4% had a critical-level issue, and 76 malicious payloads were confirmed through human review, showing why agent-skill and MCP supply-chain scanning deserves explicit attention (Snyk).
Adoption Signals
- The snyk-agent-scan package exposes uvx snyk-agent-scan@latest for full-machine scans that auto-discover agents, MCP servers, and skills, and it also supports targeted scans of MCP configuration files, individual SKILL.md files, and skill directories such as ~/.claude/skills (PyPI).
- Agent Scan supports common developer AI environments and clients, including Cursor, VS Code, Claude Code, Gemini CLI, Windsurf, Amp, Antigravity, Codex, Amazon Q, Claude Desktop, and OpenClaw, with varying MCP and skills coverage by operating system (PyPI).
- Snyk says Agent Scan powers Vercel's skills.sh security integration and combines customized LLM-based judges with deterministic rules to analyze both execution logic and natural-language instructions in skills (Snyk).
- The public GitHub repository is Apache-2.0 licensed, Python-based, created in April 2025, and has visible activity into May 2026, with repository metadata listing AI, MCP, Model Context Protocol, agent, and security topics (GitHub API).
- The broader category is becoming mainstream: Cisco’s AI Agent Security Scanner brings MCP server scanning, agent skill scanning, secure-code guidance, and configuration integrity monitoring directly into IDE workflows for Cursor, VS Code, and Windsurf (Cisco).
Risks
- Execution risk during scanning is explicit: when Agent Scan scans an MCP configuration, it starts stdio MCP servers by executing the configured command and arguments to retrieve tool descriptions, so teams should review consent prompts and run scans in a sandbox for untrusted or third-party MCP configs (PyPI).
- API and metadata sharing must be reviewed: Agent Scan validates components with local checks and by invoking the Agent Scan API, sharing skills, agent applications, tool names, and descriptions with Snyk; it states that it does not store or log MCP tool-call contents or results (PyPI).
- Dangerous automation flags need guardrails: non-interactive environments require --dangerously-run-mcp-servers to bypass consent and automatically start all configured stdio servers, which should only be used after server commands have been verified (PyPI).
- Scanner coverage is not complete runtime protection because toxic flows can emerge from dynamic combinations of tools, sensitive data, untrusted instructions, and exfiltration channels at runtime; Invariant Labs positions toxic-flow analysis as a hybrid framework that combines static agent/tool information with runtime data (Invariant Labs).
- Operating-model maturity is still developing because Agent Scan is closed to external contributions, accepts suggestions through issues, and should be validated for local false positives, remediation ownership, and policy fit before becoming a mandatory gate (PyPI).
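Because scanning an MCP configuration launches the configured stdio commands, a team can enumerate exactly what would be executed before granting consent or enabling a non-interactive scan. The following preflight check is an added example, not Snyk's code; it assumes the common mcpServers JSON layout used by desktop and IDE clients and a hypothetical command allowlist.

```python
"""Preflight inventory of the stdio servers an MCP config would launch.
Added example, not part of snyk-agent-scan. Assumes the common layout
{"mcpServers": {"name": {"command": "...", "args": [...], "env": {...}}}}."""
import json
import re
import shlex

# Hypothetical allowlist of launcher binaries a team has already reviewed.
APPROVED_COMMANDS = {"npx", "uvx", "docker"}
SECRET_KEY_RE = re.compile(r"token|secret|key|password", re.IGNORECASE)


def inventory_stdio_servers(config_text: str) -> list[dict]:
    """One record per stdio server: the exact command line a scanner would
    run, whether its binary is approved, and env vars that look like
    credentials. Entries with only a 'url' are remote transports and are
    not executed locally, so they are skipped."""
    config = json.loads(config_text)
    records = []
    for name, spec in config.get("mcpServers", {}).items():
        command = spec.get("command")
        if not command:
            continue  # remote (HTTP/SSE) server: nothing is launched locally
        env = spec.get("env", {})
        records.append({
            "name": name,
            "command_line": shlex.join([command, *spec.get("args", [])]),
            "approved": command in APPROVED_COMMANDS,
            "secret_env": sorted(k for k in env if SECRET_KEY_RE.search(k)),
        })
    return records


def safe_to_autorun(records: list[dict]) -> bool:
    """True only when every stdio server uses an approved binary, i.e. the
    config is a candidate for a consent-bypassing non-interactive scan."""
    return all(r["approved"] for r in records)


# Constructed sample: one reviewed launcher, one unreviewed local script
# that also carries a credential in its environment, and one remote server.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "example-mcp-server", "/tmp"]},
    "internal": {"command": "/opt/vendor/run.sh", "args": ["--serve"],
                 "env": {"VENDOR_API_TOKEN": "example"}},
    "remote": {"url": "https://mcp.example.invalid/sse"},
}})

if __name__ == "__main__":
    for record in inventory_stdio_servers(SAMPLE_CONFIG):
        print(record)
```

Servers reported as unapproved should be reviewed by hand and scanned in a sandbox rather than launched automatically.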
Pros & Cons
Advantages
- Auto-discovers local agent components, including MCP configurations, agent tools, and skills across common developer AI clients.
- Detects agent-specific risks such as prompt injection, tool poisoning, tool shadowing, toxic flows, malware payloads, untrusted content, credential handling, and hardcoded secrets.
- Provides both an engineer-facing scan mode and a background monitoring mode for security teams that need company-wide agent supply-chain visibility.
Disadvantages
- Scanning MCP configurations can execute the commands defined in those configurations, so untrusted MCP servers must be reviewed and scanned in a sandbox.
- Validation invokes the Agent Scan API and shares skills, agent applications, tool names, and descriptions with Snyk, which may not fit all privacy or regulated-environment policies.
- The project is still young, closed to external contributions, and scanner findings should be validated locally before being used as mandatory delivery gates.
Recommendation
Assess Agent Scan as an agent supply-chain visibility and security-control candidate for teams using Claude Code, Cursor, VS Code, Windsurf, Gemini CLI, Codex, MCP servers, or installable agent skills. Start with advisory scans on developer machines and representative CI environments, using uvx snyk-agent-scan@latest, targeted MCP config scans, and skill-directory scans to inventory the local agent surface. Before introducing mandatory gates, validate the scanner's findings against known-good and intentionally vulnerable configurations, document what metadata is sent to Snyk, decide whether sandboxed scanning is required, and define who owns remediation for unsafe MCP servers, skills, prompt injections, toxic flows, secrets, and credential-handling issues.
Sources
- PyPI: snyk-agent-scan
- PyPI: mcp-scan
- GitHub API: snyk/agent-scan repository metadata
- Snyk: ToxicSkills malicious AI agent skills research
- Snyk: Securing the Agent Skill Ecosystem
- Cisco: Introducing the AI Agent Security Scanner for IDEs
- Invariant Labs: Introducing MCP-Scan
- Invariant Labs: Toxic Flow Analysis